A modern industrial plant is typically a complicated environment comprising an integrated system of automated production equipment, monitoring systems, and computers that control the equipment in response to data provided by the monitoring systems and to human instruction. By way of example, the plant may comprise: production equipment, such as production robots and chemical reactors; component delivery systems, such as conveyor belts and pick-and-place machines; and monitoring systems, such as visual inspection systems and water quality monitors. The various plant components are controlled and monitored in real time, by control signals transmitted over a plant communication network, so that they cooperate to automatically perform a production job to which the plant is assigned. The communication devices and computational resources that transmit and receive the control signals through the plant communication network are collectively referred to as an industrial control system (“ICS”). The control signals are typically in the form of data packets. A data packet typically includes a header that carries certain types of metadata and routing information in addition to a payload. For convenience of presentation, data packets used in an ICS for control and monitoring of industrial plant components may be referred to herein as industrial protocol (“IndProt”) packets.
ICSs were originally programmed with proprietary applications. The proprietary applications did not interface with the standard communication network applications and data processing programs that are the backbone of the non-industrial communication networks and data systems typically used in the home and in non-manufacturing, hereinafter “enterprise”, organizations. As a result, ICSs were considered to be relatively immune to the various security threats, such as denial of service attacks, viruses, worms, and unauthorized access, hereinafter referred to generically as “malware”, that often compromise software used in home and enterprise systems.
However, as the complexity of automated industrial plants and of the ICSs that govern them has increased, and as the competitiveness of industrial plants has become increasingly dependent on their ability to respond flexibly and rapidly to changing global market conditions, ICSs have become ever more intimately networked with enterprise network systems that use standard technologies such as Ethernet, TCP/IP, HTTP and Windows. As a result, ICSs have become increasingly exposed and sensitive to the same security threats that plague computers and software used in the home and in enterprise systems.
In response to this increased exposure to security threats, industrial plants have adopted methods and devices to protect ICSs that are similar to those, such as various configurations of firewalls, used to protect home and enterprise communication networks and data systems.
However, malfunction of, or downtime in, a modern automated industrial plant is generally extremely expensive and can carry substantial liability. Manufacturing components and processes in the plant are interdependent and typically must operate in synchrony. Malware damage to a component of an automated industrial plant can therefore be amplified well beyond the particular damage to that component, and well beyond what might be sustained by an enterprise communication and data system or a home computer data system damaged by the same malware. Thus, Intrusion Detection Systems (IDSs) that detect and respond to anomalies in ICS data traffic indicating the presence of malware have become a critical element in ensuring the proper functioning of modern automated industrial plants.
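The preceding paragraphs describe IndProt packets (a header with metadata and routing information, plus a payload) and an IDS that flags anomalies in ICS traffic. The following is an added illustration, not code from the patent, of the simplest form such an anomaly detector can take: a baseline of allowed (source, destination, function) flows, payload sizes and per-window packet rates is learned from known-good traffic, and any packet that departs from it is reported. The packet fields, device addresses, function codes and sample traffic are all constructed for this example and do not correspond to any real industrial protocol.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed IndProt-style packet: routing and metadata in the header, opaque
# payload. Field names are assumptions for this example, not a real protocol.
@dataclass(frozen=True)
class IndProtPacket:
    src: str        # routing: originating device address
    dst: str        # routing: destination device address
    function: int   # metadata: requested operation code
    payload: bytes  # command or measurement data

@dataclass
class Baseline:
    flows: set = field(default_factory=set)       # allowed (src, dst, function) triples
    max_len: dict = field(default_factory=dict)   # largest payload seen per function code
    max_rate: dict = field(default_factory=dict)  # peak packets per (src, dst) in one window

def _windows(packets, window):
    """Yield (start_index, slice) for consecutive fixed-size windows of traffic."""
    for start in range(0, len(packets), window):
        yield start, packets[start:start + window]

def build_baseline(good_packets, window=10):
    """Learning phase: record every flow, payload size and rate seen in clean traffic."""
    baseline = Baseline()
    for p in good_packets:
        baseline.flows.add((p.src, p.dst, p.function))
        baseline.max_len[p.function] = max(baseline.max_len.get(p.function, 0), len(p.payload))
    for _, chunk in _windows(good_packets, window):
        for flow, n in Counter((p.src, p.dst) for p in chunk).items():
            baseline.max_rate[flow] = max(baseline.max_rate.get(flow, 0), n)
    return baseline

def detect_anomalies(packets, baseline, window=10):
    """Detection phase: return (packet_index, reason) for traffic outside the baseline."""
    alerts = []
    for i, p in enumerate(packets):
        if (p.src, p.dst, p.function) not in baseline.flows:
            alerts.append((i, "unknown_flow"))            # new peer or new operation
        elif len(p.payload) > baseline.max_len[p.function]:
            alerts.append((i, "oversized_payload"))       # malformed or stuffed command
    for start, chunk in _windows(packets, window):
        for flow, n in Counter((p.src, p.dst) for p in chunk).items():
            # only rate-check flows the baseline knows; unknown flows are already reported
            if flow in baseline.max_rate and n > baseline.max_rate[flow]:
                alerts.append((start, f"rate_exceeded:{flow[0]}->{flow[1]}"))
    return alerts

# Constructed sample traffic: an HMI polls a PLC with a read (function 3) and the
# PLC answers; a laptop address and a write (function 6) never appear in the baseline.
HMI, PLC, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.99"
READ, WRITE = 3, 6

def _poll_cycle():
    return [IndProtPacket(HMI, PLC, READ, b"\x00\x10\x00\x02"),
            IndProtPacket(PLC, HMI, READ, b"\x04\x01\x2c\x00\x00\x00\x00\x00")]

GOOD_TRAFFIC = [p for _ in range(20) for p in _poll_cycle()]      # 40 packets of normal polling

SUSPECT_TRAFFIC = (
    _poll_cycle() * 2                                              # indices 0-3: normal
    + [IndProtPacket(LAPTOP, PLC, WRITE, b"\x00\x20\x00\x01")]     # index 4: unexpected writer
    + [IndProtPacket(HMI, PLC, READ, b"\x41" * 64)]                # index 5: oversized payload
    + [IndProtPacket(HMI, PLC, READ, b"\x00\x10\x00\x02")] * 12    # indices 6-17: read flood
)

if __name__ == "__main__":
    baseline = build_baseline(GOOD_TRAFFIC)
    for index, reason in detect_anomalies(SUSPECT_TRAFFIC, baseline):
        print(f"packet {index:3d}: {reason}")
```

Run against the constructed clean traffic the detector stays silent; against the suspect capture it reports the laptop's write as an unknown flow, the 64-byte read as oversized, and the two windows in which the HMI-to-PLC rate exceeds the learned peak. A production IDS would add protocol-specific parsing and persist the baseline, but the structure (learn the narrow set of behaviours an ICS legitimately exhibits, alert on everything else) is what makes anomaly detection effective on control networks whose traffic is far more regular than enterprise traffic.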